Measure employee cybersecurity awareness
Employees and other users of the IT system are the most vulnerable part of the security chain and therefore the key element in ensuring cybersecurity. Do not become a target. Fortify your cybersecurity defences against attackers.
An attack simulation by means of a phishing test
Phishing is one of the most important social engineering techniques that ethical hackers use when testing cybersecurity awareness. It is a simulated attack with a fake phishing e-mail message, intended to check how many users react wrongly to a malicious e-mail (click on the link, open the attachment, etc.).
Phishing e-mails and phishing servers are equipped with mechanisms for collecting statistical data, in particular the number of users who react inadequately at a particular checkpoint.
This review reveals how technically robust your system is when it comes to such attacks (settings, security systems and, last but not least, user behaviour), while also effectively educating users about the accurate reactions.
What are the benefits?
A detailed written report provides an accurate statistical measurement of user activity at individual review checkpoints.
Frequently asked questions
Everything you need to know about running a controlled phishing test
Why is a phishing test necessary?
Because users are part of the security chain, technical security solutions remain critical. Regardless of the level of awareness, it is always necessary to reduce or minimise the possibility of an attack by using various security mechanisms and settings (additional security systems that are more successful in detecting malicious files, mechanisms for detecting misleading e-mail messages, etc.). However, this only reduces the chances of an attack; it never fully eliminates them.
In the event of such an attack, the weakest link in the chain is always the user, who either will or will not fall for the scam. It is therefore important to inform users constantly and effectively, thus greatly reducing the possibility that they will react wrongly in the event of an attack.
A good way of effectively notifying them is through actual “fire drills”, i.e. live tests. Live tests are significantly more successful than theoretical education. When an exercise/test is performed and the user realises, through their own example, they have been tricked, it will have a positive effect on their awareness. After the test, the user will also be significantly more alert to potential attacks.
What is the outcome of a phishing test?
A detailed written report consisting of two parts, which are presented in the form of a workshop:
- Management report
A concise overview for executives, providing the basic cybersecurity information.
- Technical report
This report, which is intended for the system administrator, contains important technical information about the test control points, i.e. the number of opened e-mails, the number of clicks on the fake website and the number of users who actually entered information on the fake website. It also contains statistical calculations for the entire group of users included in the testing.
What are the varieties of a phishing test?
Phishing tests vary in the reaction they try to provoke from the user. There are four types of phishing test available:
- A phishing test with a fake portal, with the purpose of tricking the user into entering a username and password
The main purpose of this test is to teach users not to enter their usernames and passwords into any unknown portal.
- A phishing test using a Word/Excel attachment, with the purpose of tricking the user into opening the attachment and activating macro functionality
The main purpose of this test is to teach users not to open attachments of unknown origin and not to ignore Word's warning about the danger of activating macros.
- A phishing test with or without an attachment, with the purpose of tricking the user into an action that creates an undetected demo file on the user's workstation and/or transfers this demo file from the workstation to our centre
The main purpose of this test is to teach users not to open e-mails of suspicious origin and/or not to click unknown Internet links or open files of unknown origin. By demonstrating the undetected creation of a demo file on a user's workstation, the user can learn about the possible consequences of such behaviour "in real life".
- A phishing test with or without an attachment, with the purpose of testing the entire attack in order to gain full control over the user's workstation
The main purpose of this test is to teach users not to open e-mails of suspicious origin and/or not to click unknown Internet links or open files of unknown origin. Such an attack is in fact an attempt to acquire full control of the workstation, thus simulating a real attack for the user and, consequently, testing the adequacy of all other security mechanisms that could prevent such an attack (anti-virus system, intrusion prevention system, etc.).
How is a phishing test conducted?
The test is performed in the following stages:
- Testing of the environment
- Test performance
- Report preparation
As part of the preparatory work, we consult with the customer on the appropriate variant of the phishing test and the group of users included in the test (unless there are particular reasons not to, we suggest that all employees of the company be included).
Based on this information, we prepare a proposal for the e-mail text and layout, set up a fake login portal or prepare the proposed content of the attachments. Draft templates are already in place, based on our experience of which texts and layouts work best, and are tailored to the client's corporate image. The client's further details and wishes are also taken into account.
At this stage, it is important that all elements are prepared meticulously and carefully. At the same time, we always leave enough clues for an attentive user to detect the trap and not fall for the attack. If the test is too elaborate, or if we do not give users a proper chance to detect the attack, its educational impact is diminished. Users who fall for the simulated attack and realise afterwards that they could have prevented it will be much more receptive to the message of the test.
This stage is followed by environment testing with the purpose of:
- testing the robustness of the environment (we provide the client with information on how capable the environment is of detecting such phishing attacks on its own, etc.);
- identifying the settings required for the test to be successful.
The test is then performed. It lasts from one to three days; experience shows that measurements are most relevant when acquired over such a period.
The test is concluded with the presentation of a detailed written report.
What about personal data security?
Since the test involves users, great care must be taken to protect the personal data and personal integrity of each individual.
We must be aware that the purpose of the test should not and cannot be to identify specific users who do not comply with security principles at a particular control point. This is important because the greatest benefit of the test is the rise in user awareness that comes with the test itself. Adding the component of publicly exposing an individual eliminates all benefits of the test.
The technical implementation of the test keeps the collection of specific personal information to a minimum. In a fake portal test, we do not record the data entered (i.e. usernames and passwords), merely the activity: whether the user entered any information at all.
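The report figures and the data-minimising logging described above, as an added illustration that is not the provider's own tooling: a constructed event log in an assumed format ("timestamp pseudonym checkpoint") is aggregated into per-checkpoint counts for the three control points named in the technical report, and the fake portal is assumed to emit only a "submitted" event, so nothing the user typed is ever stored.

```python
# Added illustration, not the vendor's tooling. Assumed constructed log format:
# "<timestamp> <pseudonymous-id> <checkpoint>", one event per line. The fake
# portal emits only a "submitted" event; what the user typed is never logged.
from collections import defaultdict

# The three control points named in the technical report, in funnel order.
CHECKPOINTS = ("opened", "clicked", "submitted")

# Constructed sample: a test group of 6 users, identified by pseudonyms only.
SAMPLE_LOG = """\
2024-01-10T09:01:12 u01 opened
2024-01-10T09:01:40 u01 clicked
2024-01-10T09:02:05 u01 submitted
2024-01-10T09:03:00 u02 opened
2024-01-10T09:05:30 u03 opened
2024-01-10T09:05:55 u03 clicked
2024-01-10T09:06:10 u01 opened
2024-01-10T10:12:20 u04 clicked
2024-01-10T10:13:00 u04 submitted
this line is malformed
"""

def parse_events(log_text):
    """Map each pseudonym to the set of checkpoints it reached.
    Repeated events collapse to one; malformed or unknown lines are skipped."""
    reached = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in CHECKPOINTS:
            continue
        reached[parts[1]].add(parts[2])
    return dict(reached)

def checkpoint_stats(reached, group_size):
    """Unique users per checkpoint and their share of the whole test group.
    Assumption: a later checkpoint implies the earlier ones, so a user whose
    "opened" beacon was blocked but who clicked still counts as having opened.
    Returns {checkpoint: (count, percent)}; no per-user data survives here."""
    stats = {}
    for i, cp in enumerate(CHECKPOINTS):
        later = CHECKPOINTS[i:]
        n = sum(1 for cps in reached.values() if any(c in cps for c in later))
        stats[cp] = (n, round(100.0 * n / group_size, 1))
    return stats

if __name__ == "__main__":
    for cp, (n, pct) in checkpoint_stats(parse_events(SAMPLE_LOG), 6).items():
        print(f"{cp:>9}: {n} of 6 users ({pct}%)")
```

Only the aggregate dictionary needs to be kept for the report; the per-pseudonym mapping can be discarded once the statistics are computed, in line with the deletion of individual user data after the test.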
As a contractor, we make sure that:
- Data that might still pertain to specific users is not accessed by unauthorised persons, but only by the test operators themselves.
- All operators performing the test act in accordance with data protection rules and are bound by them both morally and in writing.
- Individual user data is permanently deleted after the test is completed, while reports and similar documents are stored in properly protected environments.
When is the best time to perform a review?
The best time to perform the review is RIGHT NOW. The need for user security awareness is constant, so there is no specific reason to restrict testing to a particular time.
When considering the suitability of a certain time slot, keep in mind the following:
- During a collective leave of absence or when most users are on vacation, it is not appropriate to perform the test.
- It is reasonable to carry out the test at the time of the introduction of new rules and policies.
- It is also reasonable to carry out the test before group meetings or trainings at the company, where you can then present fresh results to users and talk about them.
How often should I perform a phishing test?
An important benefit of the test is the direct rise in user awareness. After the test, users will pay closer attention to events and develop better reactions to similar attacks or tests in the future. In this respect, it makes sense to repeat the tests as often as possible.
On the other hand, various external factors (other projects, funding, etc.) prevent companies from performing tests on a regular basis.
Practice shows that it is reasonable to carry them out at least once every 6 months or once every 12 months. In the event of repetitions, it makes sense to partially adjust the tests. Firstly, in order to prevent the users from finding out that they are, once again, participating in a test, and secondly, so that different aspects of awareness can be verified.
A comparison across tests is also important. After carrying out a test, companies perform specific activities intended to raise security awareness (internal training, additional security mechanisms, additional rules and security policies, etc.). A periodic comparison of test results gives the client an insight into the success or failure of these additional activities.
Why can you trust us with a controlled phishing test?
As external independent consultants with specific knowledge and experience, working on the basis of mutual trust and respect for data confidentiality, we can objectively assess the client's level of cybersecurity.
Reduce the possibility of a successful attack
An independent security screening reveals the greatest vulnerabilities and analyses the state of the client’s IT environment, providing recommendations for removing such vulnerabilities.